OneLogin SAML Configuration

This guide details configuring a Guardrails application in Okta as well as the directory in Guardrails. Administrator access in Okta and Turbot/Owner permissions in Guardrails are required for configuration.

Create the directory in Guardrails

  1. In Guardrails, navigate to the root (Turbot) resource, then click on the Permissions tab (designated with a user icon), and finally on the Directory card.
  2. Click New Directory and select SAML.
  3. Enter the following information:
    • Title: The title for this directory that will display in the login screen.
    • Description: A description for this directory.
    • Entry Point: This is the identity provider's single sign on URL.
    • Issuer: This is the identity provider issuer URL.
    • Certificate: This is the certificate from the identity provider.
    • Profile ID Template: This can generally be left at the default value, {{}. It is the unique identifier for any new user profile.
    • Under the Advanced tab, there is an option to Enable or Disable IdP-initiated SSO logins. If checked, IdP-initiated SSO will be allowed. There are security risks associated with allowing IdP-initiated SSO, because the InResponseTo field can then no longer be used to tie an assertion to an SP-initiated request. Please be fully aware of the security impact of not validating the InResponseTo field before making this change. Often, however, this setting is dictated by an organization's security team and can be verified prior to directory creation.
      • If a user attempts to log in using SAML and receives an "InResponseTo is missing from response" error, the IdP-initiated SSO box will need to be checked.
  4. Click Create.
  5. The directory is now created and will appear in the list of directories. The directory can be activated immediately, but it will not function correctly until the SAML application is configured in the identity provider.
  6. Click the Edit pencil next to the new directory. Scroll to the bottom of the window and copy the Callback URL.
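To make the Advanced-tab trade-off above concrete, here is an added example (not Guardrails or OneLogin code) of the service-provider-side checks a SAML response goes through after signature verification: issuer, audience and the InResponseTo correlation that enabling IdP-initiated SSO relaxes. The sample response, issuer and audience values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed values: what the directory would be configured with.
EXPECTED_ISSUER = "https://app.onelogin.com/saml/metadata/EXAMPLE"
EXPECTED_AUDIENCE = "https://guardrails.example.com/callback"

# Constructed sample of a minimal SAML Response posted to the callback URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_resp1" InResponseTo="_req_42" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://guardrails.example.com/callback</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, outstanding_request_ids, expected_issuer,
                   expected_audience, allow_idp_initiated=False):
    """Return (accepted, reason). Signature verification is assumed done."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch"
    if root.findtext(".//saml:Audience", namespaces=NS) != expected_audience:
        return False, "audience mismatch"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited response: this is exactly the "InResponseTo is missing"
        # case, accepted only when IdP-initiated SSO is enabled.
        if allow_idp_initiated:
            return True, "unsolicited response accepted (IdP-initiated SSO enabled)"
        return False, "InResponseTo is missing from response"
    if in_response_to not in outstanding_request_ids:
        return False, "InResponseTo does not match an outstanding request"
    outstanding_request_ids.discard(in_response_to)  # single use, blocks replay
    return True, "ok"
```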

OneLogin Configuration

  1. Log in to your OneLogin Admin Portal.
  2. Navigate to the OneLogin applications page and click Add App.
  3. On the Applications tab, search for SAML Test Connector.
  4. Select SAML Test Connector (Advanced).
  5. Enter Turbot Guardrails into the Display Name text field.
  6. Click the Configuration tab. This displays a list of text fields:
    • Audience (Entity ID): Paste in the callback URL from the Guardrails Directory.
    • ACS (Consumer) URL Validator: Paste in the callback URL from the Guardrails Directory.
    • ACS (Consumer) URL: Paste in the callback URL from the Guardrails Directory.
  7. Click the Parameters tab on the left.
  8. Under SAML nameID format, you can keep this as unspecified or set it to email; for this example it will be set to unspecified. We will come back to this section in a moment, but first verify that the NameID Value is set to unspecified.
  9. Select SSO on the left side.
  10. Copy the Issuer URL and the SAML 2.0 Endpoint (HTTP) values. Store these in a text file for later.
  11. Change the SAML Signature Algorithm to SHA-256.
  12. Select the View Details option for the x.509 certificate and save this into a temporary text file.
  13. Click the Parameters page on the left side.
  14. Now in Parameters, select the Plus (+) on the SAML Test Connector (Advanced) Field table and add the following parameters using the + button.
  15. Once everything is configured, click Save.

Guardrails Directory Re-Configuration

  1. Now head back to your Guardrails SAML directory for OneLogin. Open the Guardrails Directory page from step 1.
  2. Paste the previously copied SAML 2.0 Endpoint (HTTP) value from OneLogin into the Entry Point field, and the OneLogin Issuer URL into the Issuer field.
  3. Copy the x.509 certificate into the Guardrails Directory Certificate field.
  4. Under the Formats tab, set Name ID Format to unspecified. If you have decided to use email as the Name ID in OneLogin, select that option here.
  5. Click Update.
  6. On the Directories page, be sure to click the up arrow in the new directory's row to activate it!
  7. You can now test your directory by logging in with your new SAML directory. Please note that when you first log in you will not have any permissions associated with your new profile. Once the associated SAML user profile exists, any existing administrator can assign the proper rights.